OWASP Java Encoder Project

1.0

java-encoder

https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#advanced Encodes data for an XML CDATA section. On the chance that the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. Caller must provide the CDATA section boundaries.

forCDATA

org.owasp.encoder.tag.ForCDATATag

empty

The value to be written out value true true java.lang.String This method encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those methods.

forHtmlContent

org.owasp.encoder.tag.ForHtmlContentTag

empty

value to be written out value true true java.lang.String Encodes for XML and XHTML attribute content.

forXmlAttribute

org.owasp.encoder.tag.ForXmlAttributeTag

empty

value to be written out value true true java.lang.String Encodes for XML and XHTML.

forXml

org.owasp.encoder.tag.ForXmlTag

empty

value to be written out value true true java.lang.String Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Since this performs additional encoding so it can work in all of the JavaScript contexts listed, it may be slightly less efficient then using one of the methods targetted to a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommend that you use this method over the others.

forJavaScript

org.owasp.encoder.tag.ForJavaScriptTag

empty

value to be written out value true true java.lang.String This method encodes for JavaScript strings contained within HTML script attributes (such as onclick). It is NOT safe for use in script blocks. The caller MUST provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / is not escaped.

forJavaScriptAttribute

org.owasp.encoder.tag.ForJavaScriptAttributeTag

empty

value to be written out value true true java.lang.String This method encodes for JavaScript strings contained within HTML script blocks. It is NOT safe for use in script attributes (such as onclick). The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String)} with the exception that " and ' are encoded as \" and \' respectively.

forJavaScriptBlock

org.owasp.encoder.tag.ForJavaScriptBlockTag

empty

value to be written out value true true java.lang.String This method encodes for JavaScript strings contained within a JavaScript or JSON file. This method is NOT safe for use in ANY context embedded in HTML. The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / and & are not escaped and " and ' are encoded as \" and \' respectively.

forJavaScriptSource

org.owasp.encoder.tag.ForJavaScriptSourceTag

empty

value to be written out value true true java.lang.String Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method as quoted attributes are XHTML compliant.

forHtmlUnquotedAttribute

org.owasp.encoder.tag.ForHtmlUnquotedAttributeTag

empty

value to be written out value true true java.lang.String Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped, and still execute.

forUri

org.owasp.encoder.tag.ForUriTag

empty

value to be written out value true true java.lang.String Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should insure that the URL is safe for embedding (e.g. input validation) by other means.

forCssUrl

org.owasp.encoder.tag.ForCssUrlTag

empty

value to be written out value true true java.lang.String Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. (X)HTML comments may be interpreted by browsers as something other than a comment, typically in vendor specific extensions (e.g. <--if[IE]-->. For (X)HTML it is recommend that unsafe content never be included in a comment.

forXmlComment

org.owasp.encoder.tag.ForXmlCommentTag

empty

value to be written out value true true java.lang.String Encodes for HTML text attributes.

forHtmlAttribute

org.owasp.encoder.tag.ForHtmlAttributeTag

empty

value to be written out value true true java.lang.String Encodes for (X)HTML text content and text attributes.

forHtml

org.owasp.encoder.tag.ForHtmlTag

empty

value to be written out value true true java.lang.String Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those methods.

forXmlContent

org.owasp.encoder.tag.ForXmlContentTag

empty

value to be written out value true true java.lang.String Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query-string. In particular this method insures that special characters in the component do not get interpreted as part of another component.

forUriComponent

org.owasp.encoder.tag.ForUriComponentTag

empty

value to be written out value true true java.lang.String Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.

forCssString

org.owasp.encoder.tag.ForCssStringTag

empty

value to be written out value true true java.lang.String Encodes for (X)HTML text content and text attributes.

forHtml

org.owasp.encoder.Encode

java.lang.String forHtml(java.lang.String)

forHtml(unsafeData) This method encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those methods.

forHtmlContent

org.owasp.encoder.Encode

java.lang.String forHtmlContent(java.lang.String)

forHtmlContent(unsafeData) Encodes for HTML text attributes. forHtmlAttribute

org.owasp.encoder.Encode

java.lang.String forHtmlAttribute(java.lang.String)

forHtmlAttribute(unsafeData) Encodes for unquoted HTML attribute values. forHtml(String) or forHtmlAttribute(String) should usually be preferred over this method as quoted attributes are XHTML compliant.

forHtmlUnquotedAttribute

org.owasp.encoder.Encode

java.lang.String forHtmlUnquotedAttribute(java.lang.String)

forHtmlUnquotedAttribute(unsafeData) Encodes for CSS strings. The context must be surrounded by quotation characters. It is safe for use in both style blocks and attributes in HTML.

forCssString

org.owasp.encoder.Encode

java.lang.String forCssString(java.lang.String)

forCssString(unsafeData) Encodes for CSS URL contexts. The context must be surrounded by "url()". It is safe for use in both style blocks and attributes in HTML. Note: this does not do any checking on the quality or safety of the URL itself. The caller should insure that the URL is safe for embedding (e.g. input validation) by other means.

forCssUrl

org.owasp.encoder.Encode

java.lang.String forCssUrl(java.lang.String)

forCssUrl(unsafeData) Performs percent-encoding of a URL according to RFC 3986. The provided URL is assumed to a valid URL. This method does not do any checking on the quality or safety of the URL itself. In many applications it may be better to use java.net.URI instead. Note: this is a particularly dangerous context to put untrusted content in, as for example a "javascript:" URL provided by a malicious user would be "properly" escaped, and still execute.

forUri

org.owasp.encoder.Encode

java.lang.String forUri(java.lang.String)

forUri(unsafeData) Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query-string. In particular this method insures that special characters in the component do not get interpreted as part of another component.

forUriComponent

org.owasp.encoder.Encode

java.lang.String forUriComponent(java.lang.String)

forUriComponent(unsafeData) Encodes for XML and XHTML.

forXml

org.owasp.encoder.Encode

java.lang.String forXml(java.lang.String)

forXml(unsafeData) Encodes for HTML text content. It does not escape quotation characters and is thus unsafe for use with HTML attributes. Use either forHtml or forHtmlAttribute for those methods.

forXmlContent

org.owasp.encoder.Encode

java.lang.String forXmlContent(java.lang.String)

forXmlContent(unsafeData) Encodes for XML and XHTML attribute content.

forXmlAttribute

org.owasp.encoder.Encode

java.lang.String forXmlAttribute(java.lang.String)

forXmlAttribute(unsafeData) Encoder for XML comments. NOT FOR USE WITH (X)HTML CONTEXTS. (X)HTML comments may be interpreted by browsers as something other than a comment, typically in vendor specific extensions (e.g. <--if[IE]-->. For (X)HTML it is recommend that unsafe content never be included in a comment. forXmlComment

org.owasp.encoder.Encode

java.lang.String forXmlComment(java.lang.String)

forXmlComment(unsafeData) Encodes data for an XML CDATA section. On the chance that the input contains a terminating "]]>", it will be replaced by "]]>]]<![CDATA[>". As with all XML contexts, characters that are invalid according to the XML specification will be replaced by a space character. Caller must provide the CDATA section boundaries.

forCDATA

org.owasp.encoder.Encode

java.lang.String forCDATA(java.lang.String)

forCDATA(unsafeData) Encodes for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string. Since this performs additional encoding so it can work in all of the JavaScript contexts listed, it may be slightly less efficient then using one of the methods targetted to a specific JavaScript context: forJavaScriptAttribute, forJavaScriptBlock, or forJavaScriptSource. Unless you are interested in saving a few bytes of output or are writing a framework on top of this library, it is recommend that you use this method over the others.

forJavaScript

org.owasp.encoder.Encode

java.lang.String forJavaScript(java.lang.String)

forJavaScript(unsafeData) This method encodes for JavaScript strings contained within HTML script attributes (such as onclick). It is NOT safe for use in script blocks. The caller MUST provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / is not escaped.

forJavaScriptAttribute

org.owasp.encoder.Encode

java.lang.String forJavaScriptAttribute(java.lang.String)

forJavaScriptAttribute(unsafeData) This method encodes for JavaScript strings contained within HTML script blocks. It is NOT safe for use in script attributes (such as onclick). The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String)} with the exception that " and ' are encoded as \" and \' respectively.

forJavaScriptBlock

org.owasp.encoder.Encode

java.lang.String forJavaScriptBlock(java.lang.String)

forJavaScriptBlock(unsafeData) This method encodes for JavaScript strings contained within a JavaScript or JSON file. This method is NOT safe for use in ANY context embedded in HTML. The caller must provide the surrounding quotation characters. This method performs the same encode as Encode.forJavaScript(String) with the exception that / and & are not escaped and " and ' are encoded as \" and \' respectively.

forJavaScriptSource

org.owasp.encoder.Encode

java.lang.String forJavaScriptSource(java.lang.String)

<%@page contentType="text/javascript; charset=UTF-8"%> var data = '${forJavaScriptSource(unsafeData)}';